What Thunderf00t did, and how.

By now, I’m certain you’ve read Phil Mason’s, AKA Thunderf00t’s, confession about how he’s done exactly what people have accused him of: accessing the back channel after being kicked off the blog.

He spins himself as a whistleblower about vast conspiracies within Freethought Blogs, how we’re looking to destroy people’s careers every time we commiserate with one another about someone who’s aggrieved us. How this back channel operates like a “clique” where achievements are lauded, messages amplified, and disagreements mocked mercilessly. In other words, it’s a social club for people who choose to participate, to help spread collegiality amongst our bloggers and support one another when under attack. As such, since many of these private thoughts are not fights we wish to pick publicly, and since we placed our trust in what turned out to be a compromised listserv, Thunderf00t now gets to control much of the dialog of this blog network, deciding what fights we have and with whom.

How very conspiratorial.

You’ve probably also heard that he “doesn’t Doc Drop” in the same post where he violates several folks’ privacy in ways that amount to logistical hair-splitting — and worse yet, we have only his word to go on that he’ll take pains to protect the identity of those pseudonymous bloggers among us who have everything to lose. His word that he’s a good guy, all while he’s engaging in other gross violations of trust.

There are lots of reasons why people had every expectation that the FtB back channel was private, which Greta itemizes. Ashley weighs in on the issue out of pure outrage for the very real personal danger that Natalie Reed is in as a result of an accidental or intentional leak of her personal information, to the point where she’s put off of the atheist movement altogether. Stephanie deconstructs his chosen frame, given that Wikileaks this ain’t. And Zinnia is agog at the sheer disrespect for the very concept of privacy.

I helped Matt, our webmaster, investigate the breach. By necessity, I will have to describe exactly what went wrong and why.

Server-side, we (up until recently) used a program called Mailman to handle the mailing list functionality for our server. It is a very mature codebase, with few if any known technical exploits for the version we were using. Configuration and security, however, are another story.

Mailman apparently never expires an invitation ticket — once you’re invited to a mailing list, the original email you receive asking for your confirmation allows you to log back in and thus rejoin if you’re ever kicked off. This produces no confirmation email to the administration under the default settings. This is probably by design, or a design oversight — Mailman was likely always intended to run mail lists that were free to join and leave, and only secondarily running private invite-only lists.

Thunderf00t was added with the batch of Youtube vloggers we brought on board:

Jun 07 11:07:01 2012 (23765) [list addy]: new [Thunderf00t’s Hotmail address], admin mass sub

When Thunderf00t was booted from the network, Ed got email confirmation that he was removed. Thunderf00t would have gotten a message saying he’d been unsubscribed. The logs also show it:

Jul 01 09:46:54 2012 (7837) [list addy]: deleted [Thunderf00t’s Hotmail address]; member mgt page

But they show more.

Jul 01 09:53:03 2012 (8689) [list addy]: pending [Thunderf00t’s Hotmail address] 78.80.[xxx.xxx — IP resolving to Czech Republic, either he was there or using a Tor proxy]
Jul 01 09:53:31 2012 (8716) [list addy]: new [Thunderf00t’s Hotmail address], via web confirmation

Less than ten minutes after he was booted from the mailing list, he rejoined using the original auth ticket, and none of us were the wiser.

A month later, we were tipped off that he’d been leaking emails from our list to people in our community, stirring up shit that we simply hadn’t been publicly stirring up ourselves. We immediately started pursuing legal advice on the matter, and Matt booted him and changed the settings so all list changes had to be directly approved by an administrator even with a valid invite ticket.

Aug 02 18:10:38 2012 (12417) [list addy]: deleted [Thunderf00t’s Hotmail address]; member mgt page

The logs show that he immediately attempted to get back on again:

Aug 02 18:19:46 2012 (13060) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:20:51 2012 (13133) Reminder attempt of non-member w/ private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:21:52 2012 (13212) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:22:42 2012 (13266) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:30:10 2012 (13841) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:33:02 2012 (13976) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:35:31 2012 (14100) Login failure with private rosters: [Thunderf00t’s Hotmail address]
Aug 02 18:36:09 2012 (14150) Reminder attempt of non-member w/ private rosters: [Thunderf00t’s Hotmail address]

The reminder attempt log lines are instances of him attempting to use the password reminder form to get back in, assuming we’d locked him out a different way than just deleting his account again. Ed would have been prompted to let him in if he’d actually requested it directly, via the option to “join the list” on the Mailman page, and to my knowledge he didn’t try that — he only tried the easier options that were less likely to trigger repercussions. I cannot ascribe motivations here, but it seems fairly self-evident why he wouldn’t directly ask to be let back on.
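As an added example (not code from the original post or from Mailman itself), the following Python reads log lines laid out like the excerpts quoted above and flags the two patterns described: an address deleted from the member-management page that later re-subscribes “via web confirmation”, and a burst of private-roster login failures and non-member reminder requests for one address. The list name, addresses and IP in the sample are constructed placeholders.

```python
"""Detection logic for the two Mailman log patterns quoted in the post.

Added example, not code from the original post or from Mailman itself.
It flags (1) an address deleted from the member-management page that later
re-subscribes "via web confirmation", i.e. a stale invitation ticket reused,
and (2) a burst of private-roster probes for one address in a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample lines: list name, addresses and IP are placeholders;
# the layout follows the log excerpts quoted in the post.
SAMPLE_LOG = """\
Jun 07 11:07:01 2012 (23765) backchannel: new bob@example.invalid, admin mass sub
Jul 01 09:46:54 2012 (7837) backchannel: deleted bob@example.invalid; member mgt page
Jul 01 09:53:03 2012 (8689) backchannel: pending bob@example.invalid 203.0.113.7
Jul 01 09:53:31 2012 (8716) backchannel: new bob@example.invalid, via web confirmation
Jul 15 12:00:00 2012 (9001) backchannel: deleted carol@example.invalid; member mgt page
Jul 20 08:00:00 2012 (9100) backchannel: new carol@example.invalid, admin mass sub
Aug 02 18:19:46 2012 (13060) Login failure with private rosters: bob@example.invalid
Aug 02 18:20:51 2012 (13133) Reminder attempt of non-member w/ private rosters: bob@example.invalid
Aug 02 18:21:52 2012 (13212) Login failure with private rosters: bob@example.invalid
Aug 02 18:22:42 2012 (13266) Login failure with private rosters: bob@example.invalid
"""

TS_FMT = "%b %d %H:%M:%S %Y"
HEAD = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) "
# "<list>: <action> <addr><comma, semicolon or space> <how>"
SUB_RE = re.compile(HEAD + r"(?P<list>\S+): (?P<action>new|deleted|pending) "
                    r"(?P<addr>\S+?)[,;\s]\s*(?P<how>.*)$")
FAIL_RE = re.compile(HEAD + r"(?:Login failure|Reminder attempt of non-member)"
                     r" w(?:ith|/) private rosters: (?P<addr>\S+)$")


class Rejoin(NamedTuple):
    list_name: str
    address: str
    deleted_at: datetime
    rejoined_at: datetime


def find_stale_invite_rejoins(log_text: str) -> List[Rejoin]:
    """Flag a 'deleted' entry later followed by 'new ..., via web confirmation'
    for the same list and address. A re-add by an admin ('admin mass sub')
    resets the state and is not flagged."""
    last_deleted: Dict[Tuple[str, str], datetime] = {}
    hits: List[Rejoin] = []
    for line in log_text.splitlines():
        m = SUB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["list"], m["addr"].lower())
        if m["action"] == "deleted":
            last_deleted[key] = ts
        elif m["action"] == "new" and key in last_deleted:
            deleted_at = last_deleted.pop(key)  # member again; reset state
            if m["how"] == "via web confirmation":
                hits.append(Rejoin(key[0], key[1], deleted_at, ts))
    return hits


def find_roster_probe_bursts(log_text: str, threshold: int = 3,
                             window: timedelta = timedelta(minutes=30)) -> Dict[str, int]:
    """Addresses with >= threshold probes inside any sliding window, with peak count."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            events[m["addr"].lower()].append(datetime.strptime(m["ts"], TS_FMT))
    flagged: Dict[str, int] = {}
    for addr, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[addr] = max(flagged.get(addr, 0), end - start + 1)
    return flagged
```

On the sample above the first function reports only the address that came back via web confirmation, with the gap between deletion and rejoin, while the admin re-add is ignored.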

The log files show the date and time of the very last email our mail server sent to Thunderf00t:

2012-08-02 18:10:39 1Sx6PX-0003EI-MH <= [FtB’s postmaster address] H=localhost (dev.freethoughtblogs.com) [::1]:51819 P=esmtp S=985 id=mailman.0.1343956238.12417.[old FtB list address] T="You have been unsubscribed from the Freethoughtbloggers mailing list" for [Thunderf00t’s Hotmail address]

So he’s off the list again. This time for good. We’re not even using that software any more, so I feel relatively safe in explaining all this.

Update: See also Ed’s statement on the matter, and PZ’s.

Update 2: Charly posted the following below:

As further evidence that this is real, I can attest that Thunderf00t was indeed in the Czech Republic. I have first-hand information from the admin of a Czech atheist organization website that he and some other Czech atheist activists met Thunderf00t in Prague.

Additionally, I’m putting a strict moratorium on speculation about legal actions. While there are possible routes of action FtB can take, we have not yet squared away all of this with the lawyer we apparently have on retainer for this issue. I’ve told you everything I can, and will not post unexpurgated logs publicly both out of respect for Thunderf00t’s privacy and for the potentiality of messing with any future legal remedies we may or may not attempt.


135 thoughts on “What Thunderf00t did, and how.”

  1. 1

    I’d have posted it way sooner, but I needed to be sure I wasn’t going to screw with any potential legal actions we might be forced to take to get him to destroy what he’s stolen.

  2. 2

    […] The Freethoughtblogs network was recently informed that former Freethoughtblogs blogger thunderf00t has been forwarding private emails from the private FTB email list. He has not only been forwarding emails sent during the short time he was a blogger on this network — he used a security loophole to re-gain access to the email list shortly after he was fired from the network and blocked from the list, and has been accessing emails he never had any right to see. When this security breach was discovered and he was shut out again, he tried several times to re-access the private list. And he has already made the content of some of those emails public. (UPDATE: If you want to know exactly what thunderf00t did and how, Jason Thibeault has the technical details.) […]

  3. 3

    Thank you for posting this Greg – there’s a lot of confusion out there about what TF did and how he did it. I wouldn’t call it “hacking” in the most technical sense (ie. he didn’t use any exploits or brute-force methods, or crack the box itself) but it’s definitely hacking in the “accessing a private server you have no legal right to access” sense. I hope you guys are treating this as seriously as it deserves – illegally accessing a system is bad juju, regardless of whether the owners of that system took every action they could to keep the unauthorized person out.

    Thanks again, and I hope you get a chance to enjoy the weekend.

  4. 4

    Err, who’s Greg?

    Yes, if you subscribe to the Richard M. Stallman school of linguistics, this isn’t “hacking”, it’s “cracking”. Unauthorized access of a system, no matter how easy it is, is still unauthorized access and still morally questionable at absolute best, legally questionable at worst. It takes a special sort of broken moral compass to think what he was doing was “right”.

  5. 6

    Crap, what a fail. Personally, I blame my fingers, but they’re pointing all the blame back to my brain. Stupid brain. Anyway, thanks again, and apologies for the namefail.

  6. 7

    the very real personal danger that Natalie Reed is in as a result of an accidental or intentional leak of her personal information, to the point where she’s put off of the atheist movement altogether.

    “Mission Accomplished” I fear.

  7. 9

    Hacking in the general sense is ‘using resources in a way not originally intended by the system’. Some people extend the definition to ‘life hacks’, for instance the first example from this link where the direction of the coat hangers in your closet can be used as a way to gain information on what clothes you’re not using (and could therefore donate).

    http://www.buzzfeed.com/eduardoleon/35-life-hacks-you-should-know-ga9

    So in that sense, what TF did was a hack, as he reused the authorisation ticket from his initial join on the listserv to rejoin the listserv after being booted off. It is a very low level hack, as far as computer skills go, but it qualifies. Hacking is not always something that takes computer genius to accomplish.

  8. 10

    (ie. he didn’t use any exploits or brute-force methods, or crack the box itself)

    I’d call reusing an old invite an “exploit”.

  9. 12

    Seriously? So law wouldn’t care about B&Es that happen because a window was left unlatched? Or more accurately, because the latch we thought we had actually is very easy to open if you just shimmy the window to the left a bit?

  10. 13

    Jason,

    Analogies are not very useful when doing statutory analysis.

    At a federal level (if Thunderfoot is in a different state from the computer system he gained access to), the relevant statute is 18 USC 1030. The key element of the offense is whether TF “intentionally accesses a computer without authorization or exceeds authorized access.” As his only access of the computer was using a legitimate authorization ticket, it may be difficult to prove up intentionally unauthorized access.

  11. 14

    Quinn, it was no longer a legitimate authorization ticket. By removing him from the listserv they showed that they no longer wanted him to access the system. The fact that they forgot to “close the door after him” doesn’t change the fact they removed his access, and that he took steps to regain that access without their knowledge.

  12. 15

    Here’s another analogy: consent to be on that list was expressly revoked when we kicked him off. It’s like he was booted from his apartment but nobody knew he had a copy of the key. It doesn’t matter that we didn’t immediately change the locks until we realized he’d been squatting silently in the apartment.

  13. 18

    Aaaaaaand this would be where I finally (at long last) unsubscribe from TF’s youtube channel, abandoning the pretense that ‘well, ok, but at least his youtube videos on creationism are worthwhile.’ He has completely discredited himself in all of this.

    Moving on.

  14. 19

    Yes, the ease of the exploit changes my evaluation of how likely criminal action is. The civil side is a different question and depends on a lot of facts I don’t have access to.

  15. 20

    @15: Indeed; ability to access a system and permission to do so are two completely different things (one could have either without the other, both, or neither). If I have a “Private Property” sign up, but that’s the only thing stopping someone from entering the property, that person is still trespassing if they enter the property. I really don’t understand some of the weird apologetics that come up around these issues.

  16. 21

    :sigh: Why are we fighting in this movement?

    Because Rebecca Watson said “Guys, don’t do that.”

    We get enough of that from the religious.

    Do we? Up here in Canada, I get absolutely no guff for being an atheist whatsoever.

    However, racism, sexism, homophobia, and transphobia are all relevant issues.

    When I see the same sorts of things coming from ostensible allies in the movement that I do from the religious, I have to say I don’t feel any particular affinity for those in ‘the movement’.

  17. 24

    As further evidence that this is real, I can attest that Thunderf00t was indeed in the Czech Republic. I have first-hand information from the admin of a Czech atheist organization website that he and some other Czech atheist activists met Thunderf00t in Prague.

  18. 25

    From someone with experience, and who cares about FtB:

    Friendly advice to FtB bloggers—Do not discuss or even speculate about legal action you may or may not take. Everything you write would be discoverable and would be used against you by the opposing side. Resist the temptation to engage with commenters who go on about this that or the other applicable/inapplicable law.

    Friendly advice to FtB commenters—Do not badger bloggers about whether they’re going to take legal action or insist that they answer your questions. No party considering legal action will talk about it or lay out their cards in public unless they’re utterly foolish and disregarding legal advice. Please understand this and please don’t do it. Contemplating legal action is stressful enough and the good folks here don’t need more.

  19. 26

    The law? That is totally illegal unauthorized access. They’ve made cases of UA when it didn’t even really exist, so it is entirely enforceable. The authorities caring and pursuing a case? Completely different ball game. But best wishes for that, if it is the avenue FTB feels it needs to pursue.

  20. 27

    […] Jason has the technical details, including logs for evidence, in case you want them. Thunderf00t has confessed to breaching our privacy, but of course he’s trying to spin everything to make himself look like some sort of Wikileaks hero against the Big Bad Evil FtB Bullies. He insists that he doesn’t “doc drop,” even though in that very post he releases private statements from the mailing list. And we already have outside confirmation of people receiving mailing list emails through him. Keep diggin’ that hole! […]

  21. 28

    Charly: thank you for that further information, I’ve added it to the body of the post.

    Josh: fully and wholeheartedly agreed. We’re not lawyers, we have no legal training, and we must not screw ourselves over on this. Moratorium on legal speculation starts now, please and thanks.

  22. 29

    Considering you would have had to invite me to your backchannel to begin with.

    Thank you for posting the logs, Jason. Some people have been screaming “we want evidence” and this is it.

  23. 30

    I figured, based on what Zinnia and Ashley said on Twitter last night, that some technical stuff was coming. Anyway, that plus Thunderf00t’s bragging about doing it, is more than enough for most reasonable people. Though I suppose some will accuse you of making up the logs.

  24. 31

    Mailman apparently never expires an invitation ticket — once you’re invited to a mailing list, the original email you receive asking for your confirmation allows you to log back in and thus rejoin if you’re ever kicked off.

    Wow, that’s a huge omission in the design. Did the designers never think that someone might be banned for malicious behavior, something that would necessitate this person not being able to come back to the list?

    Also, PZ has been calling this a security exploit but I don’t know if I’d even call it that. There was no security setting to exploit, it wasn’t even built in. So the analogy being thrown around “going into a house because the door is unlocked” should more accurately be “going into a house because the door was built without locks.”

  25. 33

    But there was an option for a lock — the setting that requires an admin to approve every requested change to the list. That the setting was overlooked is probably partly because it’s poorly worded (because how I worded it is not how it’s worded in the panel!), partly because we’ve never had anyone try such a thing.

    The important thing is the intentionality of the action. Neither Loftus nor Greg Laden tried such a trick, proving their moral compasses significantly better than Thunderfoot, who either knew ahead of time how to do it, or figured out how to do it, in under ten minutes of being booted.

  26. 34

    A.R.: He would have been sent directly to his email every post on the mailing list between when he was kicked off, and when the breach was discovered. That’s from July 7th to August 2nd. It includes many discussions about people’s workplaces, issues they had with certain things that they couldn’t themselves discuss due to work confidentiality, people’s medical issues, revelations about people’s meatspace lives and names and other information that were told under the expectation that everyone reading the list was a colleague who would respect their privacy. Among other things, it included personal gripes about people, organizations and actions, that never became public fights, that will almost certainly become so without our permission — we now no longer control what fights we’re going to have from now until Thunderf00t exhausts his “wikileaks” database. Every private thought we’ve had that we shared with the list is forfeit.

    Greta’s post does a good job itemizing the concerns regarding what was leaked.

  27. 35

    I don’t know if any commenters’ personal info was shared during that time, but it’s possible, for spam prevention purposes or cross-referencing trolls. The only one that comes to mind immediately, though, is Dave Mabus. No great loss of privacy there. The main problem comes from the fact that there was an expectation of privacy, and much will be made of all the day-to-day blog sausagemaking that happened on that list. It will be scrutinized and pored over and pullquoted to make us look bad, if any of it is released publicly. It will do damage, for no other reason than because Thunderf00t’s feelings were hurt that we didn’t want him on the network after he proved to be a terrible person to ally with.

  28. 36

    @6: From what I’ve seen, TF’s moral compass seems limited to “Islam bad; me getting my my good.” He probably figures he didn’t really do anything unethical because this isn’t “real” cracking and he’s a whistleblowing hero.

  29. 37

    I’ve been doing some Googling about MailMan and it seems to be notorious for having security issues, although the complaints may all be about older versions of the software. You say you folks have shut down the listserv and are moving to new software – will you be moving to a different server as well? Not just a different OS, but a different box? Has TF shown any real “hacking” ability, or did he just get lucky in finding out the old invitation still worked? If it were me I’d be worried, not just about what TF might try next to get access, but whether or not he’s sending the address around to someone who actually has some ‘skillz’.

  30. 41

    (Yes, I know I’m on perma-mod, so I assume you’re seeing this first. But nothing I say here isn’t anything I haven’t said on T-f00t’s blog already.)

    First: Good job on the analysis. My initial hypothesis was that no one had actually removed him from the mailing list, but rather thought it had been done. I’ve seen that a few times. And yes, mailman’s setup info only vaguely resembles English.

    Second, and I think I need to say it here, given how often I criticise a few folks here: What Thunderf00t did was wrong. Period. My personal opinion of you or the rest of the FTB FC5 as I call them doesn’t justify what he did, nor do his own excuses for it. Regardless of how easy or hard it was, I find it unbelievable that he could have thought he had any reason to be on that mailing list. He’d been kicked off, that’s a pretty clear sign he wasn’t welcome. At the *very* least, he owes FTB a public apology, and not some bullshit nonpology either. His actions were sleazy, and if FTB decides to pursue legal action against him, that’s certainly justified. IANAL, but I do have *some* IT experience, and while getting the authorities to take this incident seriously may be difficult, (you can barely get them to take you seriously when someone’s gone in and wiped servers, but that’s another problem) at the very least, I’d report him to hotmail. That isn’t a legal action at all, that’s just administrative, and I think he’s earned that at least.

    Third, and this is something I’ve been dealing with professionally for two decades: the misconfiguration of mailman no more excuses what thunderf00t did any more than forgetting to lock your door excuses a random hobo from walking into your living room. He was kicked off the list. He didn’t ask to return, he just took advantage of an unlocked door and walked in to a place where he clearly wasn’t wanted. That’s not FTB’s fault, that’s not Ed’s fault, nor is it PZ’s, yours, Greta’s, Natalie’s, Zvan’s or Ophelia’s. The victim-blaming that happens because OMG, you didn’t have unassailable security and someone broke in is both stupid and inexcusable. FTB shouldn’t have HAD to lock that door, Thunderf00t knew he wasn’t welcome. Any and all blame for his actions in this case reside solely with him, no one else.

    I still don’t like you or the rest of the FC5, but this shit was wrong, it was thunderf00t’s fault, and given my profession, I’d be wrong not to say so here, (or at least give it an honest attempt.) I’m glad you were able to provide solid proof of what happened so that there’s less chance for “he said, she said”. Not that it’s not going to happen, but you did what you were supposed to here, and good on you for that.

  31. 44

    I knew Thunderfoot wasn’t a good guy, but it’s still kind of surprising he would risk potential legal sanctions just to acquire more “evidence” for furthering an ideological feud.

  32. 45

    The law does not work like a computer program: something you may think is a slam dunk may end up being nothing of the sort.

    Best to leave this to the actual lawyer. And don’t be surprised if the police or FBI do nothing.

  33. 50

    You’re welcome, but honestly, it seems to me that if one has the right to criticize, then one has other requirements imposed by the use of that right.

    If you are going to criticize someone when you think they are wrong, then when they are right, you have a responsibility to comment positively on that as well where appropriate. If you were to, say, get married, I doubt I’d say anything here, we’re not friends. However, if you did something like, I dunno, rescue someone from a burning building, (a bit over the top, but low-hanging fruit), then yeah, I’d congratulate you on that here. Even for something more minor, (assuming I knew about it of course.) That responsibility, to my eyes at least, exists independently of personal opinion. I don’t have to LIKE you to acknowledge if you’ve done something well or what I would consider good. If someone I liked did that same thing, and I’d compliment them, then I should also compliment you.

    If someone I agree with or like takes an action I think is wrong, even if it’s against someone I disagree with or dislike, then I should not only say “Hey, that thing you did? Dude, that’s fucked up and you shouldn’t have done it.” to THEM, but I think I should tell the people the action was taken against that I think said action was wrong as well. (again, assuming I know.)

    The kind of thing that Thunderf00t did is not a hypothetical problem for me. I’ve had to deal with it myself before, and it sucks to have to lock things down because someone couldn’t remember what they should have learned in kindergarten: if it isn’t yours, keep your mitts off of it. The victim-blaming that surrounds such things further sticks in my craw.

    There are related arguments that can be made about emails or blog wars, but those are related, tangential even, and one’s opinion in those cases doesn’t change a very simple fact: What thunderf00t did was wrong. I may never agree with you on anything else, my personal opinion of you and the rest may never change, we ain’t going to be taking long walks in the park anytime soon.

    But, what he did was wrong, and I think it sucks that he did it to anyone, even FTB.
